Hello,

The author of a draft proposal on signed and encrypted DNS has submitted it to the IETF; a link was posted to a Toronto Asterisk (open source VOIP/telephony) mailing list. One of the main purposes of having this facility is to prevent DNS spoofing and "man in the middle" attacks. I thought this may be of interest to our audience: http://www.e164.org/docs/draft-groth-dns-encryption-00.txt

One notable aspect of the draft (and a reason for its interest to the open source community) is its use of OpenPGP keys rather than X.509 certificates:
It would be a bad security decision to use X.509 certificates; SMTP-TLS has shown that very few commercial certificates have been purchased, and most people use self-signed or invalid certificates.
Also:
With current threats existing for very short periods, typically hours to days at most, there is no practical reason for keys to expire in 1 or even 5 years; the primary reason most certificates expire with such frequency is monetary, which is detrimental to security.
I hope this is of interest. The reason this was sent on a telephony list is the use of NAPTR resource records in DNS entries (see RFC 2915) to store telephone/VOIP number names as well as conventional Internet domain names.

- Evan